
Luna HSM Setup guide

Precondition: Ensure that a network connection from the host to the Telia HSM servers is allowed:

90.190.149.228:TCP\1792

90.190.149.230:TCP\1792

Container execution needs to map the following volumes:

Luna HSM client configuration file; it is extended automatically by the setup tasks below:

-v C:/docker/dmss-digital-stamping-service/Chrystoki.conf:/usr/safenet/lunaclient/Chrystoki.conf

Certificates folder whose subfolders will hold the connection certificates needed for Telia HSM; it is extended automatically by the setup tasks below:

-v C:/docker/dmss-digital-stamping-service/cert/:/usr/safenet/lunaclient/cert

Confs folder, mapped so that the application autoloads its application.yml file from it:

-v C:/docker/dmss-digital-stamping-service/:/confs

Container execution needs to map the following environment variable:

Luna HSM client configuration location:

-e ChrystokiConfigurationPath=/usr/safenet/lunaclient

Docker execution example based on my Windows machine:

docker run --network signbox --name=dmss-digital-stamping-service-dev2 --restart always -p 8025:8084 -v C:/docker/dmss-digital-stamping-service/Chrystoki.conf:/usr/safenet/lunaclient/Chrystoki.conf -v C:/docker/dmss-digital-stamping-service/cert/:/usr/safenet/lunaclient/cert -v C:/docker/dmss-digital-stamping-service/:/confs -e ChrystokiConfigurationPath=/usr/safenet/lunaclient -e SPRING_CONFIG_LOCATION=/confs/ digitalmindss/dmss-digital-stamping-service:1.4.1

  1. Run dmss-digital-stamping-service CLI.

a. Execute the following commands to register the HSM servers and their certificates:

cd /usr/safenet/lunaclient

./bin/vtl addserver -n belger.ml.ee -c /usr/safenet/lunaclient/cert/belger.ml.ee.pem

./bin/vtl addserver -n akira.ml.ee -c /usr/safenet/lunaclient/cert/akira.ml.ee.pem

b. Execute the following command to generate the client certificate:

./bin/64/vtl createCert -n SERVERHOSTNAME

(or, if the host has no FQDN, use its external IP address instead, for example:)

./bin/vtl createCert -n 80.233.152.54

Send the generated certificate file (NOT the private key!) from the mounted certs folder "/cert/client/" (for example /opt/dmss-digital-stamping-service/cert/client/194.19.232.34.pem) to Telia, together with your external IP address.

Telia will inform you once the certificate has been imported and the IP address registered in their infrastructure.

Telia will then return the HSM partition PIN code.

Store the received PIN code in the application.yml file as the value of the "password" attribute under the company's provider.

  2. Finalize HSM connection setup and servers.

    Run dmss-digital-stamping-service CLI.

    a. Execute the following command to list the partitions:

    cd /usr/safenet/lunaclient

    ./bin/vtl verify

    b. Execute the following command to run the Luna HSM console application:

    ./bin/lunacm

    From the lunacm console, run the following commands one by one:

    hagroup createGroup -label SERVERHOSTNAME\HA -serialNumber <first partition serial number from the vtl verify output>

    hagroup addMember -group SERVERHOSTNAME\HA -serialNumber <the other partition serial number from the vtl verify output>

    hagroup recoveryMode -m activeBasic

    hagroup interval -i 60

    hagroup retry -c 500

    hagroup HAOnly -enable

    hagroup listGroups

    exit
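An added helper script for two of the steps above, not part of the original guide or the dmss-digital-stamping-service project: it picks the client certificate file to hand over to Telia (refusing any file that holds a private key) and turns the partition serial numbers from vtl verify into the lunacm HA-group command sequence. The vtl verify table layout and the <name>Key.pem naming used here are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide. Assumes the client layout used
# on this page (cert/client/<name>.pem next to <name>Key.pem) and a "vtl verify"
# slot table in the format of the constructed sample below; both are assumptions.

# Constructed sample of a "vtl verify" slot table (not real output).
SAMPLE_VTL_OUTPUT='Slot    Serial #        Label
====    ========        =====
   0    1234567890123   par1
   1    1234567890124   par2'

# Print the partition serial numbers (second column of numeric rows) from a
# "vtl verify" table read on stdin; header and separator rows are skipped.
hsm_serials() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { print $2 }'
}

# Print the path of the file to hand to Telia: the client certificate only.
# Returns 1 and prints nothing if the file is missing, is not a certificate,
# or contains a private key (the <name>Key.pem file must never leave the host).
cert_to_send() {
    f="$1"
    [ -f "$f" ] || return 1
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "refusing: $f contains a private key" >&2
        return 1
    fi
    grep -q 'BEGIN CERTIFICATE' "$f" || return 1
    printf '%s\n' "$f"
}

# Emit the lunacm HA-group command sequence from the guide: the first serial
# creates the group, every further serial is added as a member.
hagroup_script() {
    label="$1"; shift
    first="$1"; shift
    printf 'hagroup createGroup -label %s -serialNumber %s\n' "$label" "$first"
    for s in "$@"; do
        printf 'hagroup addMember -group %s -serialNumber %s\n' "$label" "$s"
    done
    printf '%s\n' 'hagroup recoveryMode -m activeBasic' 'hagroup interval -i 60' \
        'hagroup retry -c 500' 'hagroup HAOnly -enable' 'hagroup listGroups' 'exit'
}

# Demo on the constructed sample: prints the eight lunacm commands.
serials=$(printf '%s\n' "$SAMPLE_VTL_OUTPUT" | hsm_serials)
hagroup_script 'SERVERHOSTNAME\HA' $serials
```

On a real host, pipe the output of ./bin/vtl verify into hsm_serials and paste the printed commands into lunacm; hand over only the path that cert_to_send prints.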